Releases: containers/bubblewrap
0.9.0
Build system
- Building this version of bubblewrap with Meson is recommended. The source release bubblewrap-0.9.0.tar.xz no longer contains Autotools-generated files, although this version can still be built using Autotools after running ./autogen.sh. Future versions are likely to remove the Autotools build system altogether.
New features
- Add --argv0 (#91)
Other enhancements
- --symlink is now idempotent, meaning it succeeds if the symlink already exists and already has the desired target (#549, flatpak/flatpak#2387, flatpak/flatpak#3477, flatpak/flatpak#5255)
- Clarify security considerations in documentation (#555, #560, #621)
- Clarify documentation for --cap-add (#562)
- Report a better error message if mount(2) fails with ENOSPC (#615, ValveSoftware/steam-runtime#637)
- Make it easier to add new unit tests (#420)
- Drop support for ancient Python versions in demo code
Bug fixes
- Fix a double-close on error reading from --args, --seccomp or --add-seccomp-fd argument (#558)
- Improve memory allocation behaviour (#556, #624)
- Silence various compiler warnings (#559)
- Silence an Automake warning (#622)
- Fix a test failure when running as uid 0 in a container (#488)
- Fix a test failure when /mnt is a symlink (#599)
- Fix a test failure on NixOS (#603)
c6347eaced49ac0141996f46bba3b089e5e6ea4408bc1c43bab9f2d05dd094e1 *bubblewrap-0.9.0.tar.xz
0.8.0
New features:
- Add --disable-userns option to prevent the sandbox from creating its own nested user namespace (#488)
- Add --assert-userns-disabled option to check that an existing userns was created with --disable-userns (#488)
- Give a clearer error message if the kernel doesn't have CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER (#550)
Bug fixes:
- Fix test failure with recent versions of capsh (#544)
- Fix test failure since 0.7.0 when not using post-2013 GNU coreutils (#539)
- Fix test failure since 0.7.0 if bubblewrap is setuid (#539)
Known issues:
- Tests fail if run as root (#554)
$ sha256sum -b bubblewrap-0.8.0.tar.xz
957ad1149db9033db88e988b12bcebe349a445e1efc8a9b59ad2939a113d333a *bubblewrap-0.8.0.tar.xz
v0.7.0
New features:
- --size option controls the size of a subsequent --tmpfs (#509)
- Better error messages if a mount operation fails (#472)
- Better error message if creating the new user namespace fails with ENOSPC (#487)
- When building as a Meson subproject, a RUNPATH can be set on the executable to make it easier to bundle its libcap dependency
Bug fixes:
- When building with Autotools, ensure initial setup for pkg-config is not disabled by --with-bash-completion-dir=PATH (#316, #342, #441)
- Fix test failures when running as uid 0 but with limited capabilities (#510)
- Use POSIX command -v in preference to non-standard which (#527)
- Fix a copy/paste error in --help (#531)
$ sha256sum -b bubblewrap-0.7.0.tar.xz
764ab7100bd037ea53d440d362e099d7a425966bc62d1f00ab26b8fbb882a9dc *bubblewrap-0.7.0.tar.xz
0.6.2
New features in Meson build:
- Auto-detect whether the man page can be generated
- -Dbwrapdir=... changes the installation directory (useful when being used as a subproject)
- -Dtests=false disables unit tests
Bug fixes:
- Add --add-seccomp-fd to shell completions
- Document --add-seccomp-fd, --json-status-fd and --share-net in the man page
- Add attributes to silence various compiler warnings
- Allow compilation of tests with musl on mips architectures
- Allow compilation with older glibc
- Disable sanitizers for a test helper whose seccomp profile breaks the instrumentation
- Disable AddressSanitizer leak detection where it interferes with unit testing
$ sha256sum -b bubblewrap-0.6.2.tar.xz
8a0ec802d1b3e956c5bb0a40a81c9ce0b055a31bf30a8efa547433603b8af20b *bubblewrap-0.6.2.tar.xz
0.6.1
0.6.0
New features:
- New --add-seccomp option can be used to add more than one seccomp program (#453)
- Add a warning when repeating options where only the last one will be used, in particular --seccomp (#454)
- Add a Meson build system. (#432)
  - This can be used as a subproject by larger Meson projects. When used as a subproject, the -Dprogram_prefix option is required: see tests/use-as-subproject/ for an example.
  - There is no equivalent of the --with-priv-mode=setuid option in this build system. Distributions that still require a setuid bubblewrap executable will need to chown and chmod the executable appropriately as a separate step in their packaging.
  - The Autotools build system is still supported in this release, but might be removed in a future release if the Meson build system is sufficiently successful.
Bug fixes:
- Invoke bash via PATH for better compatibility with non-FHS operating systems
- Exit early when argc == 0, to harden against the equivalent of CVE-2021-4034 (this is not a security issue in our case)
Other changes:
- The default branch is now named main
- Partial REUSE support (add SPDX-License-Identifier to many source files)
- Remove old CI integration
$ sha256sum -b bubblewrap-0.6.0.tar.xz
11393cf2058f22e6a6c6e9cca3c85ff4c4239806cb28fee657c62a544df35693 *bubblewrap-0.6.0.tar.xz
Release 0.5.0
New features:
- --chmod changes permissions
- --clearenv unsets every environment variable (except PWD)
- --perms sets permissions for one subsequent --bind-data, --dir, --file, --ro-bind-data or --tmpfs
Other enhancements:
- Better diagnostics when a --bind or other bind-mount fails
- zsh tab-completion
- Better test coverage
Bug fixes:
- Use Python 3 for tests and examples
- Mount points for non-directories are created with permissions -r--r--r-- instead of -rw-rw-rw-
- Don't remount items in /proc read-only if already EROFS, required to run under Docker
- Allow mounting a non-directory over an existing non-directory, e.g. --bind "$XDG_RUNTIME_DIR/my-log-socket" /dev/log
- Silence kernel messages for our bind-mounts
- Make sure pkg-config is checked for, regardless of build options
- Improve ability to bind-mount directories on case-insensitive filesystems
- Fix -Wshadow warnings
- Fix deprecation warnings with newer SELinux
$ sha256sum -b bubblewrap-0.5.0.tar.xz
16fdaf33799d63104e347e0133f909196fe90d0c50515d010bcb422eb5a00818 *bubblewrap-0.5.0.tar.xz
Release 0.4.1
This release fixes a privilege escalation bug pointed out by Stephen Röttger, where in some setups
bubblewrap can be used to gain root permissions. Only version 0.4.0 is vulnerable, and only
if installed setuid while at the same time the kernel supports unprivileged user namespaces.
More details in the advisory here:
Additionally there are some minor changes:
- Always clear the capability bounding set (cosmetic issue)
- Make the tests work with libcap >= 2.29
- Properly report child exit status in some cases
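An exposure check for the conditions stated above (version 0.4.0, installed setuid, kernel allowing unprivileged user namespaces), added here as an example and not part of the bubblewrap project or its release notes. It assumes bwrap --version prints "bubblewrap VERSION" and reads /proc/sys/user/max_user_namespaces plus, where present, the distribution-specific /proc/sys/kernel/unprivileged_userns_clone; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a host for the 0.4.0 setuid exposure conditions.
# The decision logic is a pure function so it can be checked on constructed inputs.

# bwrap_exposed VERSION SETUID_ROOT USERNS_MAX USERNS_CLONE
#   VERSION       version string, e.g. "0.4.0"
#   SETUID_ROOT   1 if the binary is owned by root with the setuid bit set
#   USERNS_MAX    /proc/sys/user/max_user_namespaces (empty if absent)
#   USERNS_CLONE  /proc/sys/kernel/unprivileged_userns_clone
#                 (distribution-specific knob; empty if absent)
# Returns 0 (exposed) only when every condition from the release note holds.
bwrap_exposed() {
    [ "$1" = "0.4.0" ] || return 1
    [ "$2" = "1" ] || return 1
    # A missing or zero limit means unprivileged user namespaces are unavailable.
    [ -n "$3" ] && [ "$3" -gt 0 ] || return 1
    # Where the distribution knob exists, 0 disables unprivileged user namespaces.
    [ "$4" = "0" ] && return 1
    return 0
}

# Collect the four inputs from the running system and report.
check_host() {
    bwrap=$(command -v bwrap) || { echo "bwrap not installed"; return 0; }
    # Assumption: output has the form "bubblewrap 0.4.0".
    version=$("$bwrap" --version | awk '{print $2}')
    setuid_root=0
    # -L follows a symlinked install path; -perm -4000 matches the setuid bit.
    if [ -n "$(find -L "$bwrap" -prune -user root -perm -4000 2>/dev/null)" ]; then
        setuid_root=1
    fi
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
    if bwrap_exposed "$version" "$setuid_root" "$max" "$clone"; then
        echo "EXPOSED: $bwrap is 0.4.0, setuid root, unprivileged userns enabled"
        return 1
    fi
    echo "not exposed: version=$version setuid_root=$setuid_root userns_max=${max:-absent}"
}

# Run against the local host only when asked: sh this-file.sh --host
case "${1:-}" in
    --host) check_host ;;
esac
```

A distribution package may carry a backported fix under the 0.4.0 version string, so confirm a positive result against the package changelog.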
Alexander Larsson (9):
Ensure we're always clearing the cap bounding set
Don't rely on geteuid() to know when to switch back from setuid root
Don't support --userns2 in setuid mode
drop_privs: More explicit argument name
Christian Kastner (1):
tests: Update output patterns for libcap >= 2.29
Jean-Baptiste BESNARD (1):
retcode: fix return code with syncfd and no event_fd
TomSweeneyRedHat (1):
Add Code of Conduct
Release 0.4.0
The biggest feature in this release is the support for joining
existing user and pid namespaces. This doesn't work in the setuid
mode (at the moment).
Other changes:
- Stores namespace info in status json
- In setuid mode pid 1 is now marked dumpable
- Now builds with musl libc
Alexander Larsson (17):
Tests: Fix test count
setuid mode: Properly drop privs in monitor and pid1
Mark init process as dumpable so we can see stuff in its /proc
Add support for --userns and --userns2
tests: test --userns
utils: Add some utility function to pass pids over a socket
utils: Add fork_intermediate_child() helper
Add support for --pidns
Add tests for --pidns
tests: Better error message if assert_files_equal fails
Fix typo in comment
Drop cap bounding set also in --userns case
Allow --uid and --gid with --userns
tests: Fix --userns tests
--userns --uid: Only switch user if needed
Merge pull request #338 from containers/reuse-namespaces
Bump 0.4.0
Christian Kellner (3):
bwrap: set opt_unshare_cgroup when _try succeeds
bwrap: include the pid namespace id in status/json
tests: check namespace info in json
Colin Walters (1):
Post-release version bump
Jonathan Lebon (1):
ci: Bump to fedora/29/atomic
shawrkbait (1):
Add work-around for TEMP_FAILURE_RETRY to support musl
Git-EVTag-v0-SHA512: d3f07f58b50c579b27470722edfc87b741465ca37ff4d40c9f715d610a69a80a6e6035a0dee678158c1dd77edb0b06bed3ffd6393a784d4ed975c092eb151952
0.3.3
(This release is the same as 0.3.2 but the version number in configure.ac was accidentally still set to 0.3.1)
This release fixes a mostly theoretical security issue in unusual/broken
setups where $XDG_RUNTIME_DIR is unset.
There are some other smaller fixes, as well as an addition to the JSON
API that allows reading the inner process exit code, separately from
the bwrap exit code.
Thanks to all contributors!
Iain Lane (1):
tests: Handle systems without merged-/usr
Jakub Wilk (2):
Fix typos
Print "Out of memory" on stderr, not stdout
Richard Maw (3):
Revert "README.md: Delete cat logo picture (not DFSG compliant)"
bwrap: add option json-status-fd to show child exit code
bwrap: Report COMMAND exit code in json-status-fd
Simon McVittie (3):
man page: Describe --chdir, not nonexistent --cwd
Don't create our own temporary mount point for pivot_root
tests: Ensure that tmpfs with oldroot/newroot doesn't appear in container
Timothy E Baldwin (1):
Make lockdata long enough on 32-bit with 64-bit file pointers.
Git-EVTag-v0-SHA512: 1320cc04e853be996e6fa53fb3e472f732ac02855ab05984fa3350aed1d8760fc3b9eac0e6af06843a1f6265afe424e042c937d64606ef2eb29ec53a3539c217